# Google Workspace
Google Workspace is the primary identity and collaboration platform. This page covers how the nomenclature maps to Workspace constructs.
## Groups
Every group type in our nomenclature maps to a Google Group with specific settings. See the Groups section for the full taxonomy. The key Workspace-specific details:
### Creation Procedure
Follow the Admin UI order: Group Information → Access Settings → Security Settings.
- Group Information: Set email, name, description per canonical patterns.
- Access Settings: Configure posting, membership, viewing per group type.
- Security Settings: Set CEL restrictions, allowlists, and Locked status.
### Labels
- Mailing: ON for all groups.
- Security (irreversible): ON for Dept/Team/Role groups. OFF for Mail/Intake/Alerts/Infra/People/Ident.
- Locked: ON if automation manages membership/settings.
### Description Trailers
Every group description ends with exactly one of:
```
Security group ({concise purpose})
Non-security group ({concise purpose})
```
- Optionally:
```
Locked group ({reason})
```
## Shared Drives
### Drive Naming Convention
```
{INT|EXT}_{ORG}_{Purpose}_{Channel}_{State}_{Sensitivity}
```
| Component | Values |
|---|---|
| Visibility | INT (internal), EXT (external-safe) |
| Org | PRV, OCS, PQX, etc. |
| Purpose | Customers-{CusPascal}, Marketing, Operations, etc. |
| Channel | COLLAB, TEAM, STRICT, ARCH |
| State | Active, Archived |
| Sensitivity | Public, Private, Confidential, Restricted |
### Examples
```
EXT_PRV_Customers-SlopeClinical_COLLAB_Active_Private
INT_PRV_Customers-SlopeClinical_TEAM_Active_Private
INT_PRV_Customers-SlopeClinical_STRICT_Active_Confidential
INT_PRV_Marketing_TEAM_Active_Private
INT_PRV_Security_STRICT_Active_Restricted
```
### Thin Root Rule
Every drive root is a thin root — navigation and admin only, no working content. Standard root files:
```
README.md
INDEX.md
CHANGELOG.md
_shared/
00_inbox/
```
## OUs (Organizational Units)
OUs define policy buckets (device posture, session length, DLP rules). They never grant access. See People & Identity for the full OU tree.
### Root Defaults
Applied tenant-wide unless overridden:
- 2-Step Verification: Required (FIDO2 preferred)
- Sessions: 8-12h default
- Mail: IMAP/POP off, auto-forward off, external banners on
- OAuth/Marketplace: Restricted/allowlist
- Logging: Admin, Drive, DLP, Vault exports enabled
## GAM Automation
GAM (Google Apps Manager) is used for bulk operations. Common patterns:
### Create a Group
```bash
ORG="prv"
DOMAIN="provisionr.com"
EMAIL="${ORG}-eng-team-apps@${DOMAIN}"
NAME="PRV – Team – Engineering – Apps"
DESC="${NAME}: Application delivery & features | App engineers | Repos, pipelines, code quality | Security group (internal team coordination)"
gam create group "${EMAIL}" name "${NAME}" description "${DESC}"
gam update group "${EMAIL}" settings securitylabel on
```
### Nest a Team into a Department
```bash
gam update group "${ORG}-eng-dept@${DOMAIN}" add member "${ORG}-eng-team-apps@${DOMAIN}"
```
### Audit Group Ownership
```bash
# Find groups with fewer than 2 owners
# NR>1 skips the CSV header row so it is not counted as a group;
# groups with no owners at all produce no rows and will not appear in this output
gam print group-members type owner | awk -F',' 'NR>1 {count[$1]++} END{for(g in count) if(count[g]<2) print g, count[g]}'
```
### Export Drive Permissions
```bash
gam print drivefileacls query "name contains 'PRV'" fields id,emailaddress,role,type
```
## Quarterly Review Checklist
- All groups have >= 2 owners
- Security labels match group type (ON for Dept/Team/Role, OFF for pipes)
- No externals on TEAM or STRICT drives
- OAuth/Marketplace allowlists are current
- OU policies match canonical settings
- Description trailers are present and correct
- Archive is ON for all mail pipe groups
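The ownership audit above only sees groups that have at least one owner, and the label and trailer items on this checklist are otherwise checked by hand. The following added Python script (not part of this page or of GAM) runs the owner-count, security-label and description-trailer checks together over constructed CSV exports; the column names and the rule that the group type is the third dash-separated token of the address are assumptions to map onto your own `gam print` output.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample exports, not real tenant data. Column names are assumptions,
# not GAM's own CSV headers; map them onto your `gam print` output.
GROUPS_CSV = """email,name,description,security
prv-eng-dept@provisionr.com,PRV – Dept – Engineering,Engineering org | Security group (dept-wide coordination),True
prv-eng-team-apps@provisionr.com,PRV – Team – Engineering – Apps,App delivery | Security group (internal team coordination),True
prv-alerts-mail@provisionr.com,PRV – Alerts – Mail,Alert pipe | Security group (alerts),True
prv-intake-mail@provisionr.com,PRV – Intake – Mail,Intake pipe,False
"""
MEMBERS_CSV = """group,role,email
prv-eng-dept@provisionr.com,OWNER,alice@provisionr.com
prv-eng-dept@provisionr.com,OWNER,bob@provisionr.com
prv-eng-team-apps@provisionr.com,OWNER,carol@provisionr.com
prv-eng-team-apps@provisionr.com,MEMBER,dave@provisionr.com
prv-alerts-mail@provisionr.com,MEMBER,ops@provisionr.com
"""

SECURITY_TYPES = {"dept", "team", "role"}  # Security label ON; every other type OFF
TRAILER_RE = re.compile(r"(Non-security|Security) group \([^)]+\)(?: *\|? *Locked group \([^)]+\))?$")

def group_type(email):
    # Assumption: the type token is the third dash-separated segment of the local part
    # (prv-eng-dept -> dept, prv-eng-team-apps -> team).
    return email.split("@")[0].split("-")[2]

def audit(groups_csv=GROUPS_CSV, members_csv=MEMBERS_CSV):
    owners = defaultdict(int)
    for row in csv.DictReader(io.StringIO(members_csv)):
        if row["role"] == "OWNER":
            owners[row["group"]] += 1
    findings = []
    # Iterate over the group list, not the member list, so zero-owner groups are reported too.
    for g in csv.DictReader(io.StringIO(groups_csv)):
        email = g["email"]
        if owners[email] < 2:
            findings.append((email, f"owners={owners[email]}"))
        expect_on = group_type(email) in SECURITY_TYPES
        if (g["security"] == "True") != expect_on:
            findings.append((email, "security label mismatch"))
        m = TRAILER_RE.search(g["description"])
        if not m:
            findings.append((email, "missing description trailer"))
        elif (m.group(1) == "Security") != expect_on:
            findings.append((email, "trailer contradicts group type"))
    return findings
```

Each finding is a `(group, reason)` pair, so the output can be fed straight into the review ticket for that quarter.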